Roy, I will quote from https://www.mediawiki.org/wiki/Reporting_security_bugs
"We support responsible disclosure and we hope that anyone who finds a potential security issue in our ecosystem acts with discretion and forbearance"
Thank you.

For everyone else, yes, protecting the secrets that you place in your tools account is a good idea.

On Wed, Jan 29, 2020 at 7:53 PM Roy Smith <roy@panix.com> wrote:
I was poking around in /data/project/ just now, looking for examples of how other tools set up their Django apps. I was surprised (well, only a little) to discover that there are a few world-readable app.py files that have their django_secrets embedded in them.

That's not a good idea, folks. Secrets should not be stored anyplace that's world-readable.



--
Nick "Quiddity" Wilson (he/him)
Community Engagement - Documentation
Wikimedia Foundation
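
An added example, not part of this thread or of any tool's code: a check a maintainer can run over their own tool directory to find world-readable files with an embedded secret, plus a loader that refuses a key file other accounts can read. The regex, the `secret_key.txt` file name and the sample values are assumptions constructed for the illustration.

```python
import os
import re
import stat
import tempfile

# Secret-like assignment such as SECRET_KEY = "..." (pattern is an assumption).
SECRET_RE = re.compile(r"^\s*\w*SECRET\w*\s*=\s*['\"].+['\"]", re.I | re.M)

def audit(root):
    """Paths under root that are world-readable and hold a secret-like assignment."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not os.stat(path).st_mode & stat.S_IROTH:
                    continue  # other users cannot read it
                with open(path, errors="replace") as fh:
                    if SECRET_RE.search(fh.read()):
                        hits.append(path)
            except OSError:
                continue  # unreadable file or broken symlink
    return sorted(hits)

def load_secret(path):
    """Read a secret from its own file, refusing group/other permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {mode:o}; chmod 600 it first")
    with open(path) as fh:
        return fh.read().strip()

def demo():
    """Build a constructed tool directory: one exposed app.py, one 0600 key file."""
    with tempfile.TemporaryDirectory() as home:
        app = os.path.join(home, "app.py")
        with open(app, "w") as fh:
            fh.write('SECRET_KEY = "constructed-sample-value"\n')
        os.chmod(app, 0o644)  # the situation described in the quoted message
        key = os.path.join(home, "secret_key.txt")  # hypothetical file name
        with open(key, "w") as fh:
            fh.write("constructed-sample-value\n")
        os.chmod(key, 0o600)  # owner-only
        return [os.path.basename(p) for p in audit(home)], load_secret(key)

if __name__ == "__main__":
    print(demo())
```

A settings module would then call `load_secret()` on the owner-only file instead of embedding the value in `app.py`.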